Here is the info I have from CheckPoint and other resources. Once the packet is received at the firewall, FireWall-1 processes the packet according to the following steps:

1. Checks to see if the packet is part of an established connection. Because this is a new connection, there is no record of the packet in the connections table, so the connection must be checked against the security policy.

2. Checks IP Options. If the packet is denied because of this check, you will see a drop on Rule 0 in the Log Viewer, assuming that IP Options logging is enabled.

3. Performs an anti-spoofing check on the external interface. The source of the packet is compared against the valid address setting. If the packet is denied because of this check, you will see a drop on Rule 0 in the Log Viewer, assuming that anti-spoof logging is enabled on that interface. The remote end of the connection will see a "connection timed out" message.

4. Checks properties and the rulebase.

5. The OS routes the packet. The OS determines that in order to communicate with the internal host (destination), it needs to route the packet out the internal interface.

6. Performs IP Options and anti-spoofing checking on the internal interface. The destination of the packet is compared against the valid address setting. If the packet is denied because of this check, you will see a reject on Rule 0 in the Log Viewer, assuming that anti-spoofing logging is enabled on that interface. The remote end of the connection will receive a reset, which means a client application will see a "connection refused" message.

7. Checks properties and the rulebase. Properties are always checked outbound as well as inbound. A rule's check depends on how you have installed it and how you are enforcing gateway rules.

8. The packet proceeds through the address translation rules. If there was a matching NAT rule, this is where NAT would take place.

9. The packet is sent directly to the internal host.

The important detail to note in this process is that NAT is not done until near the very end, that is, after the packet has been routed and has gone through the security policy, but before the packet leaves the gateway. When you do NAT, it means you must make sure that the untranslated packet can pass through your anti-spoofing checks and your rulebase.

-- Comment Posted by: smikame@ipv4sec.com --

In fact, you can check the packet inspection order/chain using the 'fw ctl chain' command. The 'in chain' is for the inbound traffic inspection order. The 'out chain' is for outbound traffic.

=====================================
VPN firewall example:
=====================================

vpn-firewall$ fw ctl chain
in chain (12):
        0: -7f800000 (00000000780f147c) IP Options Strip (ipopt_strip)
        1: - 2000000 (00000000788e30a0) vpn decrypt (vpn)
        2: - 1fffff6 (00000000780f308c) Stateless verifications (asm)
        3: - 1fffff0 (00000000788e2528) vpn decrypt verify (vpn_ver)
        4: - 1000000 (000000007813d138) SecureXL conn sync (secxl_sync)
        5: 0 (0000000078066290) fw VM inbound (fw)
        6: 2000000 (00000000788e56cc) vpn policy inbound (vpn_pol)
        7: 10000000 (000000007813d338) SecureXL inbound (secxl)
        8: 7f600000 (00000000780e76f0) fw SCV inbound (scv)
        9: 7f750000 (000000007825bdc0) TCP streaming (in) (cpas)
        10: 7f800000 (00000000780f18d8) IP Options Restore (ipopt_res)
        11: 7fb00000 (000000007823fbcc) HA Forwarding (ha_for)
out chain (10):
        0: -7f800000 (00000000780f147c) IP Options Strip (ipopt_strip)
        1: -7f400000 (000000007825c19c) TCP streaming (out) (cpas)
        2: - 1ffffff (00000000788e22a0) vpn nat outbound (vpn_nat)
        3: - 1f00000 (00000000780f308c) Stateless verifications (asm)
        4: 0 (0000000078066290) fw VM outbound (fw)
        5: 2000000 (00000000788e4f08) vpn policy outbound (vpn_pol)
        6: 10000000 (000000007813d338) SecureXL outbound (secxl)
        7: 20000000 (00000000788e3d28) vpn encrypt (vpn)
        8: 7f700000 (000000007825c55c) TCP streaming post VM (cpas)
        9: 7f800000 (00000000780f18d8) IP Options Restore (ipopt_res)
vpn-firewall$

=====================================
Standard firewall example: (Non VPN)
=====================================

firewall$ fw ctl chain
in chain (9):
        0: -7f800000 (00000000780f347c) IP Options Strip (ipopt_strip)
        1: - 1fffff6 (00000000780f508c) Stateless verifications (asm)
        2: - 1000000 (000000007813f138) SecureXL conn sync (secxl_sync)
        3: 0 (0000000078068290) fw VM inbound (fw)
        4: 10000000 (000000007813f338) SecureXL inbound (secxl)
        5: 7f600000 (00000000780e96f0) fw SCV inbound (scv)
        6: 7f750000 (000000007825ddc0) TCP streaming (in) (cpas)
        7: 7f800000 (00000000780f38d8) IP Options Restore (ipopt_res)
        8: 7fb00000 (0000000078241bcc) HA Forwarding (ha_for)
out chain (7):
        0: -7f800000 (00000000780f347c) IP Options Strip (ipopt_strip)
        1: -7f400000 (000000007825e19c) TCP streaming (out) (cpas)
        2: - 1f00000 (00000000780f508c) Stateless verifications (asm)
        3: 0 (0000000078068290) fw VM outbound (fw)
        4: 10000000 (000000007813f338) SecureXL outbound (secxl)
        5: 7f700000 (000000007825e55c) TCP streaming post VM (cpas)
        6: 7f800000 (00000000780f38d8) IP Options Restore (ipopt_res)
firewall$

--------------------------------------------
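As an added example, not part of the original post or of the comment above: a small Python parser for 'fw ctl chain' listings that validates each chain (the module count in the header and ascending priority order), reports where a named module sits relative to the fw VM at priority 0, and diffs the VPN gateway's chains against the non-VPN gateway's. The two listings embedded below are transcribed from the comment; the regexes, the Module type and the helper names are this example's own, not anything Check Point ships.

```python
# Added example (not from the original post or comment): parse `fw ctl chain`
# listings and compare two gateways. The two listings are transcribed from the
# comment above; everything else here is this example's own naming.
import re
from typing import NamedTuple

CHAIN_HEADER = re.compile(r"^(in|out) chain \((\d+)\):$")
# "<index>: <sign?><hex priority> (<handler address>) <module name> (<tag>)"
# Module names may themselves contain parentheses, e.g. "TCP streaming (in)",
# so the tag is taken from the last parenthesised word on the line.
CHAIN_ENTRY = re.compile(
    r"^\s*(\d+):\s*(-?)\s*([0-9a-f]+)\s+\(([0-9a-f]+)\)\s+(.*?)\s+\((\w+)\)\s*$", re.I)

VPN_FW_CHAIN = """\
in chain (12):
    0: -7f800000 (00000000780f147c) IP Options Strip (ipopt_strip)
    1: - 2000000 (00000000788e30a0) vpn decrypt (vpn)
    2: - 1fffff6 (00000000780f308c) Stateless verifications (asm)
    3: - 1fffff0 (00000000788e2528) vpn decrypt verify (vpn_ver)
    4: - 1000000 (000000007813d138) SecureXL conn sync (secxl_sync)
    5: 0 (0000000078066290) fw VM inbound (fw)
    6: 2000000 (00000000788e56cc) vpn policy inbound (vpn_pol)
    7: 10000000 (000000007813d338) SecureXL inbound (secxl)
    8: 7f600000 (00000000780e76f0) fw SCV inbound (scv)
    9: 7f750000 (000000007825bdc0) TCP streaming (in) (cpas)
    10: 7f800000 (00000000780f18d8) IP Options Restore (ipopt_res)
    11: 7fb00000 (000000007823fbcc) HA Forwarding (ha_for)
out chain (10):
    0: -7f800000 (00000000780f147c) IP Options Strip (ipopt_strip)
    1: -7f400000 (000000007825c19c) TCP streaming (out) (cpas)
    2: - 1ffffff (00000000788e22a0) vpn nat outbound (vpn_nat)
    3: - 1f00000 (00000000780f308c) Stateless verifications (asm)
    4: 0 (0000000078066290) fw VM outbound (fw)
    5: 2000000 (00000000788e4f08) vpn policy outbound (vpn_pol)
    6: 10000000 (000000007813d338) SecureXL outbound (secxl)
    7: 20000000 (00000000788e3d28) vpn encrypt (vpn)
    8: 7f700000 (000000007825c55c) TCP streaming post VM (cpas)
    9: 7f800000 (00000000780f18d8) IP Options Restore (ipopt_res)
"""

STD_FW_CHAIN = """\
in chain (9):
    0: -7f800000 (00000000780f347c) IP Options Strip (ipopt_strip)
    1: - 1fffff6 (00000000780f508c) Stateless verifications (asm)
    2: - 1000000 (000000007813f138) SecureXL conn sync (secxl_sync)
    3: 0 (0000000078068290) fw VM inbound (fw)
    4: 10000000 (000000007813f338) SecureXL inbound (secxl)
    5: 7f600000 (00000000780e96f0) fw SCV inbound (scv)
    6: 7f750000 (000000007825ddc0) TCP streaming (in) (cpas)
    7: 7f800000 (00000000780f38d8) IP Options Restore (ipopt_res)
    8: 7fb00000 (0000000078241bcc) HA Forwarding (ha_for)
out chain (7):
    0: -7f800000 (00000000780f347c) IP Options Strip (ipopt_strip)
    1: -7f400000 (000000007825e19c) TCP streaming (out) (cpas)
    2: - 1f00000 (00000000780f508c) Stateless verifications (asm)
    3: 0 (0000000078068290) fw VM outbound (fw)
    4: 10000000 (000000007813f338) SecureXL outbound (secxl)
    5: 7f700000 (000000007825e55c) TCP streaming post VM (cpas)
    6: 7f800000 (00000000780f38d8) IP Options Restore (ipopt_res)
"""


class Module(NamedTuple):
    index: int
    priority: int  # signed; 0 is the fw VM, negatives run before it, positives after
    address: str
    name: str
    tag: str


def parse_chain(text):
    """Return {'in': [Module, ...], 'out': [...]} in listed order, validated."""
    chains, declared, current = {}, {}, None
    for line in text.splitlines():
        hdr = CHAIN_HEADER.match(line.strip())
        if hdr:
            current = hdr.group(1)
            chains[current], declared[current] = [], int(hdr.group(2))
            continue
        ent = CHAIN_ENTRY.match(line)
        if ent and current is not None:
            idx, sign, pri, addr, name, tag = ent.groups()
            value = int(pri, 16)
            chains[current].append(
                Module(int(idx), -value if sign == "-" else value, addr, name, tag))
    for d, mods in chains.items():
        if len(mods) != declared[d]:
            raise ValueError(f"{d} chain: header says {declared[d]}, parsed {len(mods)}")
        # the kernel walks each chain in ascending priority; anything else is garbled
        if [m.priority for m in mods] != sorted(m.priority for m in mods):
            raise ValueError(f"{d} chain is not in priority order")
    return chains


def position_relative_to_fw(chains, direction, name):
    """'before', 'at' or 'after' the fw VM (priority 0) for the named module."""
    for m in chains[direction]:
        if m.name == name:
            return "before" if m.priority < 0 else "at" if m.priority == 0 else "after"
    raise KeyError(name)


def added_modules(base, extra):
    """Module names that `extra` has and `base` lacks, per direction, in chain order."""
    result = {}
    for d in ("in", "out"):
        base_names = {m.name for m in base[d]}
        result[d] = [m.name for m in extra[d] if m.name not in base_names]
    return result
```

Run `added_modules(parse_chain(STD_FW_CHAIN), parse_chain(VPN_FW_CHAIN))` and the diff is exactly the three vpn modules per direction; `position_relative_to_fw` on "vpn decrypt" (in) returns "before" and on "vpn encrypt" (out) returns "after", which is the point the listings make: the decrypt handler sits ahead of the fw VM and the encrypt handler behind it, so the fw module inspects VPN traffic in the clear. Paste the output of `fw ctl chain` from a real gateway (prompt lines included; they match neither regex and are skipped) in place of the embedded strings to check a live box the same way.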